Don’t Get Burned by the Browser Crackdown on Insecure Sites

October 6, 2017, Chris Duckers

When properly issued, SSL certs, data files that digitally bind a cryptographic key to an organization’s details, allow secure connections from a web server to a browser and help users validate the legitimacy of the site that they are using.

However, all too often, organizations lack, or have expired SSL certificates on their web assets, which can be hazardous to those visiting their sites, and therefore, harmful to their businesses. But recently, Google began sending out notices to site owners reminding them that with version 62 of its Chrome browser—scheduled to be released on October 24—they’ll require websites with any text input to have an SSL certificate lest a “NOT SECURE” warning pop up in their browser’s omnibox.

This crackdown, which affects any site in which users can enter data, will affect a surprising amount of businesses.When analyzing a sample size of 154 workspaces of customers that have at least 3,000 confirmed assets, RiskIQ found that, on average, each workspace had 9,712 unique URLs that were classified as insecure forms.

Fig-1 Results from our research of 154 workspaces

Not only that, RiskIQ also identified 100K live websites belonging to FT-30 organizations in the UK. Of those, 13K pages were collecting PII, an average of 400 pages per organization. A third of these pages are still collecting information insecurely, either through lack of encryption or by using very old, vulnerable encryption algorithms. Insecure collection of PII can affect consumers through loss and fraudulent use of their personal data, and organizations through loss of revenue, brand reputation and damages. Under GDPR those damages can be considerable if collected data is compromised.

What is an SSL Certificate?

‘SSL’ has become an umbrella term that is used to describe both the original SSL, or Secure Sockets Layer encryption method, and the newer, more secure Transport Sockets Layer, or TLS method. Essentially, when people refer to ‘SSL,’ they just mean establishing a secure, encrypted connection between a web server and a client. At their basis, SSL certs are powerful security measures that, for the most part, protect against threats on insecure networks, such as man-in-the-middle attacks.

SSL certs make use of various types of symmetric and asymmetric encryption algorithms when sending information between a web server and a client in a process known as the ‘SSL handshake.’ The SSL handshake occurs on top of the Transmission Control Protocol layer (TCP) and involves an exchange of public (and sometimes private) keys between the server and the client or the server and another server, resulting in a secured connection. Once the handshake is established, a client’s browser will visually display a URL as ‘HTTPS.’

The Problem with SSL Certs

Even if your assets do have SSL encryption, they may still be problematic. For example, Google, along with Microsoft and Mozilla, have all publicly announced plans to disable support for certificates using outdated SHA-1 hashes and Symantec’s failure to adequately validate the certificate owner at time of issuance has resulted in a loss of trust in their certificates by browser makers.

It’s not that most security teams are negligent, either—while HTTPS or Hypertext Transfer Protocol Secure has been around for years, it is only now becoming the standard baseline for internet security. Recently, RiskIQ examined data from ten of our Digital Footprint customers who also happen to be large financial institutions. While there was variation in the size of each digital footprint, all ten customers had noticeable security flaws related to their assets having either expired SSL Certificates or using obsolete SHA-1 hashes. On average, each customer had roughly 38 assets using expired SSL Certificates, with one outlier.

Know your Digital Footprint, Know your Risk

Lacking SSL encryption can have an immediate negative business impact. When end users confront alarming warnings from top web browsers stating “Secure Connection Failed,” their trust in the website can quickly erode.

Using a network of tens of thousands of these virtual users, we scan the entire internet millions of times per hour, collecting telemetric data to produce a dynamic index of your web attack surface. This process illuminates websites, mobile apps, URLs, web page content, ASNs, IPs, and nameservers, many of which aren’t currently in your inventory. RiskIQ uncovers all digital assets that appear online that tie back to your organization, enabling your security team to understand the attack surface outside your firewall, bring unknown assets under management, and survey your digital footprint from the view of a global adversary.

Digital Footprint provides continuous monitoring of these web assets to highlight compromised web infrastructure and web compliance issues such as expired SSL certificates and the use of now obsolete SHA-1 certs. Furthermore, notifications are sent to our Digital Footprint customers whose certifications are set to expire at both the 90 and 60-day marks so that they may be addressed before they become a critical security issue. SSL Certifications are the first line of defense against external threat actors and, as such, should always be appropriately updated/configured.

Once you have an accurate picture of your digital footprint, it is far easier to understand and implement mitigation techniques to ensure that all of your external assets are protected. This inventory of your assets is also critical for compliance with numerous industry regulations.

Signing up for RiskIQ Community Editionnow gives you access to one of the most popular RiskIQ products–Digital Footprint. When you sign up or sign in with your organizational email address, you get a glimpse into your organization’s attack surface.